[Dnssec-trigger] resolv.conf content after dnssec-trigger stop

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Nov 25 13:39:59 UTC 2013



Hi Tomas,

Thanks for this and the one-more-line modification.

I put it into the fedora/ subdirectory, but if you want it could be
elsewhere (the main dir and installed somewhere?).

Best regards,
   Wouter

On 11/21/2013 05:09 PM, Tomas Hozza wrote:
> Hi.
> 
> I finished and successfully tested the script for backing-up and
> restoring resolv.conf. Its behaviour was consulted with QE and it
> works as follows:
> 
> 1. if called as "dnssec-trigger-resolvconf-handle.sh backup" - if
> NM is configured with "dns=none" it copies resolv.conf into
> /var/run/dnssec-trigger
> 
> 2. if called as "dnssec-trigger-resolvconf-handle.sh restore" - if
> backup in /var/run/dnssec-trigger exists and NM is configured with
> "dns=none" it will restore the resolv.conf - else it will obtain
> current list of nameservers and writes them into resolv.conf until
> NM rewrites it.
> 
> I'm working with systemd guys on the right systemd.service file,
> because systemd had some problems with creating transaction. But
> this is for sure doable, since I have couple of other ways how to
> make it work.
> 
> I'm CCing also dnssec-trigger mailing-list, since I think such
> script should be included in the upstream repo if agreed that it is
> good.
> 
> 
> Thanks.
> 
> Regards,
> 
> Tomas Hozza
> 
> ----- Original Message -----
>> 
>> [ ExecStop script ]
>> 
>> Good idea. Note that an unrelated bug sometimes causes
>> dnssec-triggerd to write a resolv.conf without any nameserver
>> entry. I've filed that as bug upstream and they confirmed it. We
>> might need to poke them a few times to get it fixed though.
>> 
>>>> I was recently thinking about the situation that happens if
>>>> you stop dnssec-trigger on the system. dnssec-trigger will
>>>> leave most probably (depending on the state it was in) 
>>>> "127.0.0.1" in resolv.conf. This can cause a really 
>>>> frustrating user experience, since NM will not write DNS 
>>>> servers IP addresses into it until next network change.
>>>> 
>>>> Currently there is no way how to tell NM to write the 
>>>> configuration into the resolv.conf besides restarting it.
>> 
>> This should get folded into a NM plugin, so NM can fully control
>> resolv.conf and we can restrict selinux to only allow NM to write
>> /etc/resolv.conf. It would also remove the need for making it
>> immutable. Problem is, we are all busy people....
>> 
>> Paul
>> 

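The backup/restore behaviour described in the quoted message above, sketched as an added example; it is not the script that went into the fedora/ subdirectory and not code from either author. The function names, the backup file name `resolv.conf.backup`, looking for `dns=none` in the `[main]` section of NetworkManager.conf, and passing the fallback nameservers as arguments are assumptions.

```shell
#!/bin/sh
# Added illustration, not the upstream dnssec-trigger-resolvconf-handle.sh.
# Paths can be overridden so the logic runs against constructed files.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/run/dnssec-trigger}"
NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"

# Succeeds only when the [main] section of NetworkManager.conf has dns=none.
nm_dns_none() {
    [ -r "$NM_CONF" ] || return 1
    awk '/^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
         in_main && /^[ \t]*dns[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
         END { exit !found }' "$NM_CONF"
}

# Replace resolv.conf atomically: fill a temp file beside it, then rename.
install_resolv_conf() {
    tmp=$(mktemp "$RESOLV_CONF.XXXXXX") || return 1
    if cat > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$RESOLV_CONF"; then return 0; fi
    rm -f "$tmp"; return 1
}

# Step 1: back up only when NM is configured to leave resolv.conf alone.
rc_backup() {
    nm_dns_none || return 0
    mkdir -p "$BACKUP_DIR" && cp -p "$RESOLV_CONF" "$BACKUP_DIR/resolv.conf.backup"
}

# Step 2: restore the backup, else write the nameservers given as arguments
# (assumption: the caller obtains that list; the message does not say how).
rc_restore() {
    backup="$BACKUP_DIR/resolv.conf.backup"
    if nm_dns_none && [ -f "$backup" ]; then
        install_resolv_conf < "$backup"
        return
    fi
    # Never write a resolv.conf that has no nameserver entry at all.
    [ "$#" -gt 0 ] || { echo "no nameservers to write" >&2; return 1; }
    for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done | install_resolv_conf
}

case "${1:-}" in
    backup)  rc_backup ;;
    restore) shift; rc_restore "$@" ;;
esac
```

The empty-list check keeps the fallback path from producing the nameserver-less resolv.conf mentioned earlier in the thread.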


